Sensitive Technology Information
Was Posted on the Internet

February 2004

Reference Number: 2004-20-046

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

February 27, 2004

MEMORANDUM FOR CHIEF, MISSION ASSURANCE
               CHIEF INFORMATION OFFICER

FROM:      Gordon C. Milbourn III
           Acting Deputy Inspector General for Audit

SUBJECT:   Final Audit Report - Sensitive Technology Information Was Posted on the Internet (Audit # 200320041)

This report presents the results of our review to determine whether sensitive Internal Revenue Service (IRS) information could be obtained on the Internet.

In summary, sensitive information relating to IRS computer systems was posted on the IRS’ Internet web sites and third-party web sites. This information included detailed Modernization blueprint documents and the Internal Revenue Manual on Information Technology (IT), which the IRS has designated as Official Use Only (OUO). We also found several newsgroup postings that divulged specific hardware and software used by the IRS, including detailed information regarding a major production system. With this information, a hacker would have a better opportunity to successfully attack the IRS’ infrastructure and potentially gain access to taxpayer information.

The IRS can control information on its web sites and, to some extent, what is available on third-party web sites. The information posted to third-party web sites appears to have been gleaned from the IRS’ own web sites and from presentations given by IRS employees.

Neither the employees responsible for providing information for Internet sites nor the employees responsible for adding the information to the web sites evaluated the sensitivity of the information, other than to ensure taxpayer information was not posted. The IRS has no guidelines to assist employees in assessing security risks before posting information on the Internet.

The IRS Office of Mission Assurance has initiated efforts to establish standardized procedures and guidelines for reviewing and classifying sensitive information, which includes information to be posted on the Internet. As of December 2003, the resulting Sensitivity Handbook was still in draft. The draft Handbook addresses the issue of unnecessarily posting sensitive information on the Internet, but does not contain specific examples of what should and should not be allowed.

The risk of divulging sensitive information could also be limited if employees complied with the IRS’ Internet usage policy. The Internet policy prohibits the posting of agency information to existing sites without approval from the appropriate management official.

We recommended that the Chief, Mission Assurance, continue efforts on finalizing the procedures, guidelines and training material for identifying sensitive information; coordinate with the Office of Electronic Tax Administration, the Office of Servicewide Policy, Directives, and Electronic Research, and the Office of Governmental Liaison and Disclosure to distribute the guidelines throughout the IRS; and periodically remind all employees and contractors of the IRS’ Internet Usage Policy. For the Procurement web site, we recommended that the Chief Information Officer restrict access to sensitive contracting information by assigning user accounts and passwords to only those with a need to know.

Management’s Response: The Chief, Mission Assurance, concurred with our recommendations. The Office of Mission Assurance will finalize guidelines for identifying OUO information, develop training modules for use by document owners, ensure training material is fully integrated in existing policies and procedures, and include special emphasis on disclosure of IT information in its annual Security Awareness training. To restrict sensitive technical information on the Procurement web site, the Director, Procurement, has implemented the Federal Technical Data Solution, a web-based application that uses user accounts and passwords for access.

Management’s complete response to the draft report is included as Appendix IV.

Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background ........................................................................ Page 1
Sensitive Internal Revenue Service Information Is Available on the Internet ... Page 1
        Recommendation 1: ................................................. Page 6
        Recommendations 2 and 3: .......................................... Page 7
        Recommendation 4: ................................................. Page 8
Appendix I – Detailed Objective, Scope, and Methodology ................... Page 9
Appendix II – Major Contributors to This Report ........................... Page 11
Appendix III – Report Distribution List ................................... Page 12
Appendix IV – Management’s Response to the Draft Report ................... Page 13

Background

The Internet offers a vast library of information to millions of computer users. The Internal Revenue Service (IRS) makes wide use of the Internet to provide important information to the general public and to contractors interested in conducting business with the IRS.
To facilitate effective customer service, the IRS has placed many of its policies and procedures on the Internet to assist taxpayers and practitioners.

The Internet has no rules governing the content of information available to users, and virtually anyone can post information to web sites. As a result, the IRS is faced with the risk that employees could knowingly or unknowingly make sensitive information available to the public.

Although there are other avenues used to share information, such as IRS-sponsored tax forums and public briefings, we focused our review on sensitive IRS technology information available on the Internet. Hackers routinely search the Internet for useful information prior to attacking a target organization. For example, if a hacker can identify the type of hardware or software used by an organization, he or she could potentially exploit the known vulnerabilities associated with those components. The IRS must be particularly mindful of the security risks associated with posting technology information on the Internet to prevent unauthorized access to tax information.

This audit was conducted at the IRS National Headquarters in Washington, D.C., from June through December 2003 in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Sensitive Internal Revenue Service Information Is Available on the Internet

Sensitive information relating to IRS computer systems was posted on the Internet. Applying the same techniques we used, hackers can easily find this information and use it to attack the IRS’ infrastructure and potentially gain access to tax information.

We categorized our results into three areas. Specifically, sensitive information was:
  - Posted on IRS Internet web sites.
  - Communicated by IRS employees on Internet newsgroups.
  - Posted by outsiders on the Internet.

The IRS can control information on its web sites and, to some extent, what is available on third-party web sites by establishing policies and guidelines for protecting sensitive IRS information. The risk of divulging sensitive information, however, is directly dependent on employees’ familiarity and compliance with those policies and guidelines.

Sensitive information posted on IRS web sites

An agency’s most direct path for providing information to the public is often its own Internet web site. Agencies must strike a balance between providing appropriate information and offering too much information. We searched through the IRS’ two public web sites¹ and identified information that we believe should not have been available to the public.

¹ The two IRS web sites accessible for public use are the IRS’ Procurement web site and the IRS’ Digital Daily. There are other IRS web sites designed for specific business purposes, and they are restricted from general public viewing.

Specifically, on the IRS Procurement web site, we identified:
  • IRS Modernization blueprint documents. These documents contained information on the IRS’ infrastructure, including hardware and software to be used in specific Modernization projects.
  • The Internal Revenue Manual (IRM), Part II, Information Technology. In September 2002, the IRS Technology Security Committee decided to reclassify this section of the Manual as Official Use Only (OUO) and remove it from public access. The Manual contains sensitive technology information, including password policy and computer operating systems and software used.
  • IRS internal Internet Protocol addresses and Domain Name System names, along with the platforms and applications used.
  • IRS floor plans of a computing center. This document contained the location and the number of IRS occupied floors, including the computer room location.

On the IRS Digital Daily web site, we identified:
  • The Statistics of Income (SOI) computer infrastructure. An SOI web page presented a recruiting announcement that contained specific information on computer platforms, operating systems, and applications used within its office. The SOI web pages also identified office locations.

Both Procurement and SOI personnel stated they only performed a cursory review of the documents and did not consider the inherent security risks associated with the information we found. Procurement personnel stated that their role is to serve as the administrative function for placing the contents onto the web page. They also stated that business units dictate the contents of their postings, especially for contract solicitations.
Business unit owners stated that they did not review for, and were not aware of, the risks of posting sensitive information, though they did ensure they did not disclose taxpayer information.

The Department of Homeland Security requires executive branch agencies to develop procedures to “identify and safeguard homeland security information that is sensitive but unclassified” and recently proposed regulations designed to protect critical infrastructure information from disclosure to the general public. The IRS had no policy or guidelines for information being posted to agency web sites regarding security concerns. The Electronic Tax Administration office developed local procedures on content reviews for the IRS’ Digital Daily, but the procedures did not address security risks.

The IRS Office of Mission Assurance has drafted a Sensitivity Handbook to standardize procedures and guidelines for reviewing and classifying sensitive information, including information to be posted on the Internet. The Handbook, still in draft as of December 2003, addresses the issue of unnecessarily posting sensitive information on the Internet, but does not contain specific examples of what should and should not be posted. The Mission Assurance senior advisor assigned to oversee the development of the Handbook stated that they are aware of this deficiency and are in the process of developing training modules to address the technical and social issues related to posting sensitive information on the Internet.

Sensitive information communicated by IRS employees on newsgroups

IRS employees can also post agency information on Internet newsgroup web sites.² Internet newsgroups provide an open forum where any Internet user can post questions or respond to questions posted on the forum. In the IT industry, these newsgroups enable users to share information and get practical solutions to technical computer problems. Generally, users will provide their business email address as their username for these postings.

² Examples of newsgroup web sites include Microsoft (e.g., Microsoft.public.xxx with xxx being a specific MS program) and IBM (e.g., bit.listserv.ibm-main) newsgroups.

We found approximately 830 postings where IRS employees posted questions and answers on newsgroup web sites. In all instances, the employees used their official IRS email addresses (employee first name.employee last name@irs.gov).

We judgmentally selected and reviewed 256 of the newsgroup postings and found 84 that contained sensitive IRS computer information. Of the 84 postings, 77 were from @irs.gov authors and 7 were from @ci.irs.gov authors. The postings divulged specific hardware and software used by the IRS, including detailed information regarding a major production system. For example:
  • In a Microsoft SQL server newsgroup, an IRS employee stated that she was unable to successfully install service pack 3 to a Microsoft SQL server, version 7.0. A hacker could track this information along with related information from the National Institute of Standards and Technology web site, which shows there are 11 vulnerabilities with SQL 7.0 running service pack 2.
  • In a Microsoft Internet Explorer newsgroup, an IRS employee stated he had attempted to install service pack 1 on Internet Explorer, version 5.5, but ran into problems that he did not encounter without the service pack. A hacker could ascertain from this posting that the IRS had workstations without service pack 1 installed. As of the date of the posting in March 2001, there were 10 published vulnerabilities. As of October 2003, there were 86 published vulnerabilities for this situation.

The risk of divulging sensitive information could be limited if employees complied with the IRS’ Internet usage policy. The policy contains strict prohibitions against posting agency information to external newsgroups, bulletin boards, or other public forums without approval from the appropriate management official. The IRS employees were either not aware of the prohibitions or ignored them for the convenience of asking knowledgeable persons outside the IRS for advice. In either case, the security risks were not addressed.

Newsgroup and bulletin board postings are controlled by independent organizations and may be retained on the Internet for a long time. Some of the sensitive information identified during our research dated back to April 1998.

Sensitive information posted by outsiders on the Internet

As part of our review, we conducted Internet searches on certain key words³ in conjunction with the phrase “IRS.” We identified over 68,000 matches when searching for these key words. While judgmentally reviewing over 1,000 of these matches, we identified IRS sensitive information that had been posted on commercial or private web sites. Using this information, a hacker would have a better opportunity to attack the IRS’ infrastructure.

³ Examples of key words included “firewall,” “LEM” (Law Enforcement Manual), “STIR” (Security and Technology Infrastructure Release), and “Oracle.”

We found the following examples of IRS sensitive information placed by outside individuals or organizations:
  • News articles with IRS technology describing the Secure Dial-In project in extensive detail.
  • Solicitation for contract work containing sensitive information relating to the IRS’ password policy.
  • Network diagram of the IRS’ Security and Technology Infrastructure Release (STIR) on a non-IRS website illustrated the IRS’ three-portal strategy.
    The STIR is the security architecture for the IRS’ modernized systems.
  • A section of the Law Enforcement Manual on a non-IRS website.
  • A job resumé of a former IRS employee that divulged hardware, software, and versions of IRS computer systems.

These postings were outside the control of the IRS. However, in most of these instances, the information posted appears to have been obtained from the IRS web sites at one time or from other internal sources, such as presentations given by IRS employees. Sufficient attention had not been paid to the security risks of providing sensitive computer information.

Recommendations

The Chief, Mission Assurance, should:

1. Continue efforts to finalize procedures and guidelines for identifying sensitive information. The draft Sensitivity Handbook should address both information provided on the IRS Internet sites and the distribution of information to third parties. We suggest that the Handbook provide examples to demonstrate what information should and should not be posted. Training modules on this material should be developed for use by each business unit.

   Management’s Response: The Chief, Mission Assurance, will finalize guidelines for identifying OUO information and develop training modules for use by document owners in each business area.

2. Coordinate with the Office of Electronic Tax Administration; the Office of Servicewide Policy, Directives, and Electronic Research; and the Office of Governmental Liaison and Disclosure to ensure that the guidelines are distributed throughout the IRS to Internet content providers, IRM authors, and Disclosure Officers, so they are aware of their responsibilities to identify and properly classify sensitive information prior to posting to the Internet.

   Management’s Response: The Chief, Mission Assurance, will coordinate with the offices in our recommendation to ensure that the OUO guidance and training material are fully integrated in existing information classification, document management, and disclosure policies and procedures.

3. Periodically remind all employees and contractors of the IRS’ Internet Usage Policy implemented in May 2002. Emphasize the reasons why it is important not to disclose sensitive information, particularly when using newsgroups.

   Management’s Response: The Office of Mission Assurance will include special emphasis on disclosure risks related to IT information in its annual Security Awareness training. It will work with the Office of Communication and the Office of Governmental Liaison and Disclosure to develop employee communications in this area in the interim.

The Chief Information Officer should:

4. Restrict access to sensitive contracting information on the Procurement web site to only those with a need to know. We recognize that certain sensitive information is pertinent for the solicitation of contractors and needs to be accessible on the web site. Portions of the web site containing sensitive information should be separated from the general information web pages. In addition, user accounts and passwords should be required to access sensitive areas.

   Management’s Response: On October 1, 2003, the Director, Procurement, implemented the Federal Technical Data Solution to post sensitive technical information during the solicitation phase of the acquisition cycle on its web site. This web-based application uses user accounts and passwords to control and restrict access to sensitive information.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether sensitive Internal Revenue Service (IRS) information could be obtained from the Internet.

I.   To evaluate the adequacy of security policies and procedures that have been established to guide IRS employees in placing information on the Internet, we:
     A. Reviewed written guidance issued by the IRS and the Department of the Treasury, including Internal Revenue Manual 25.10 (Information Technology Security Policy and Standards), Policy on Limited Personal Use of Technology, IRS Policy on Electronic Communications, Guidance for All IRS Personnel on Internet Access from Government Computers, Treasury Directive 87-04 (Personal Use of Government Office Equipment Including Information Technology), and Guidelines to Identify Sensitive Information.
     B. Researched other related Federal Government guidance, including issuances by the National Institute for Standards and Technology and the General Accounting Office.

II.  To evaluate the effectiveness of security policies and procedures implemented for placing information on the Internet, we:
     A. Conducted an Internet search using Google for known hardware and software used by the IRS; for newsgroup postings with authors such as @irs.gov, @ci.irs.gov, @csirc.irs.gov, @irs.treas.gov, and @irs.ustreas.gov; and for other public forums in which IRS employees may post sensitive IRS information technology (IT) security information without authorization.
     B. Identified over 68,000 matches from our Internet search queries. Based on the preview text of the queries,¹ we judgmentally selected and reviewed 256 newsgroup matches and 1,012 other postings for sensitive IRS computer information.
     C. Scanned the IRS’ two public web sites – the IRS’ Procurement and Digital Daily web sites – for sensitive IT security information.
     D. Contracted with an outside vendor to identify sensitive IRS IT information on the Internet.
     E. Contacted IRS personnel to identify security policies and procedures implemented for placing information on the Internet and the reasons why sensitive IT security information was posted on the Internet.

¹ The Internet search provided results in order starting from the highest to lowest potential for matching the query criteria. We were then able to judgmentally select those matches that contained sensitive information.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Louis Lee, Senior Auditor
Midori Ohno, Senior Auditor
Charles Ekholm, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief, Agency-Wide Shared Services OS:A
Chief, Communications and Liaison CL
Chief, Information Technology Services OS:CIO:I
Director, Electronic Tax Administration OS:CIO:I:ET
Director, Office of Governmental Liaison and Disclosure CL:GLD
Director, Office of Research, Analysis, and Statistics RAS
Director, Office of Servicewide Policy, Directives, and Electronic Research RAS:SPDER
Director, Procurement OS:A:P
Director, Web Services OS:CIO:I:W
Acting Director, Portfolio Management OS:CIO:R:PM
Acting Director, Regulatory Compliance OS:MA:RC
Acting Director, Strategy, Program Management, and Personnel Security OS:MA:SP
Deputy Chief Financial Officer, Department of the Treasury
Audit Liaisons:
        Chief, Mission Assurance OS:MA
        Chief Information Officer OS:CIO:M

Appendix IV

Management’s Response to the Draft Report
                  DEPAR~M~W ~\n                                 INTERNAL RWFNUE SERVICE\n                                   WWHINGTO)I.D.C. 20124\n\n                                          8 ; ... i   '   ..\n\n\n\n\n    MEMORANDUM FOR ACTING DEPUTY INSPECTOR GENERAL FOR AUDIT\n\n    FROM:                  Daniel Galik    %&d\n                           Chief Mission Assurance 0S:MA\n\n    SUBJECT:                                      -\n                           Draft Audit Report Sensitive InformationTechnology Data Was\n                           Posted on th%ht&rpetJAudit# 200320041)\n                                           . -\n    While requiring the development of information classlfication and management\n    procedures for Sensiti~ebut Unclasslfied (SBU) homeland security and crltlcal\n    infrastructure information, neither the Office of Management and Budget nor the\n    Department of Homeland Security has developed detailed auidance for executive\n    branch agencles for this effort. despite the absence of su& direction, the Internal\n    Revenue Servlce has developed signifidant policy for classlfication of information,\n    document management, and subsequent information release. IRM 1.9.3, Safeguarding\n    National Securlly lnformatlon and lF&l 11t332, Classificationof Documents are our\n    primary reference sources. AS a ge8'dra~:njj3classification of such SBU Information\n    wlthln IRS, Offlclal Use Only (OUO) and Limited Official Use (LOU) category\n    designation, Is done by the business owner in conjunction with the Office of Disclosum.\n    Once lnformatlon receives a classification designation, current policy requires consistent\n    treatment regardless of medium of transmission.\n\n    Balancing lnformatlon sharing requirements, public rights to access, and\n    securily/p~ivacyconcerns has always been challenging. Nowhere has this been truer\n    than in the area of information technology (IT) data. 
Your report understandably
focuses on this particular category of information, and we concur that there is a need for
further guidance in this area. We suggest that you eliminate global references to
sensitive IRS information that detract from the IT emphasis in your report.

Unlike Section 6103 data, there are no clear formulas for designating OUO or LOU
information technology information. General references to hardware platform types and
operating environments do not, in and of themselves, create a sufficient risk to warrant
these designations. Even discussions of service pack and patch versions are not
necessarily risky in the absence of detailed information on security configurations and
system deployments. Of the examples you cited, we agree with your assessment of
sensitivity for the IT information on the Procurement web site and on third party web
sites only.

I am pleased to inform you that Recommendation 4 of your report has already been fully
implemented. With the implementation of the Federal Technical Data Solution
(FedTeDS) October 1, 2003, sensitive contracting information is no longer posted on
the Procurement web site. FedTeDS is a web-based application that safeguards
sensitive technical information during the solicitation phase of the acquisition cycle. It
provides user accounts and passwords for access to this information. The Office of
Procurement owns and manages the Procurement Web Site and is the responsible
business area for this recommendation. Mission Assurance is committed to completing
our work on your other three recommendations this fiscal year.
Please see the
attached Corrective Action Plan for more detail.

We appreciate the opportunity to comment on this draft audit report. Please contact me
on (202) 622-8910 if you would like to discuss this further. Technical questions may be
directed to Deborah England. She can be reached on (202) 622-4561.

Attachment

cc: Director, Procurement OS:A:P
    Chief Information Officer OS:CIO
    Director, Office of Governmental Liaison and Disclosure CL:GLD
    Director, Office of Servicewide Policy, Directives,
     and Electronic Research RAS:SPDER
    Director, Electronic Tax Administration OS:CIO:I:ET


Management Response to Draft Audit Report - Sensitive Information
Technology Data Was Posted on the Internet (Audit # 200320041)

RECOMMENDATION # 1: The Chief, Mission Assurance should - Continue
efforts to finalize procedures and guidelines for identifying sensitive information.
The draft Sensitivity Handbook should address both information provided on the
IRS Internet sites and the distribution of information to third parties. We suggest
that the Handbook provide examples to demonstrate what data should and
should not be posted. Training modules on this material should be developed for
use by each business unit.


CORRECTIVE ACTION TO RECOMMENDATION #1: The Chief, Mission
Assurance will finalize guidelines for identifying OUO information.
Training
modules on the material will be developed for use by document owners in each
business area.


IMPLEMENTATION DATE:
October 2005


RESPONSIBLE OFFICIAL:
Director, Assurance Programs OS:MA:AP


CORRECTIVE ACTION MONITORING PLAN:
Overall programmatic responsibility for monitoring implementation of all
corrective actions is centralized with the Office of Mission Assurance. Mission
Assurance will report program status as part of its Business Performance Review
on a quarterly basis.


RECOMMENDATION # 2: The Chief, Mission Assurance should - Coordinate
with the Office of Electronic Tax Administration; the Office of Servicewide Policy,
Directives, and Electronic Research; and the Office of Governmental Liaison and
Disclosure to ensure that the guidelines are distributed throughout the IRS to
Internet content providers, IRM authors, and Disclosure Officers, so they are
aware of their responsibilities to identify and properly classify sensitive
information prior to posting to the Internet.


CORRECTIVE ACTION TO RECOMMENDATION #2: The Chief, Mission
Assurance will coordinate with the Office of Electronic Tax Administration; the
Office of Servicewide Policy, Directives, and Electronic Research; and the Office
of Governmental Liaison and Disclosure to ensure that the OUO guidance
training material is fully integrated in existing information classification, document
management, and disclosure policies and procedures.


IMPLEMENTATION DATE:
Interim OUO Guidance Training Material - October 2004
Final OUO Guidance Training Material - 
October 2005


RESPONSIBLE OFFICIAL:
Director, Assurance Programs OS:MA:AP


CORRECTIVE ACTION MONITORING PLAN:
Overall programmatic responsibility for monitoring implementation of all
corrective actions is centralized with the Office of Mission Assurance. Mission
Assurance will report program status as part of its Business Performance Review
on a quarterly basis.


RECOMMENDATION # 3: The Chief, Mission Assurance should - Periodically
remind all employees and contractors of the IRS' Internet Usage Policy
implemented in May 2002. Emphasize the reasons why it is important not to
disclose sensitive information, particularly when using newsgroups.

CORRECTIVE ACTION TO RECOMMENDATION #3: The Office of Mission
Assurance will include special emphasis on disclosure risks related to IT
information in its annual Security Awareness training. Further, it will work with
the Office of Communication and Government Liaison and Disclosure to develop
employee communications in this area in the interim.


IMPLEMENTATION DATE:
September 2004


RESPONSIBLE OFFICIAL:
Director, Assurance Programs OS:MA:AP


CORRECTIVE ACTION MONITORING PLAN:
Overall programmatic responsibility for monitoring implementation of all
corrective actions is centralized with the Office of Mission Assurance.
Mission
Assurance will report program status as part of its Business Performance Review
on a quarterly basis.


RECOMMENDATION # 4: The Chief Information Officer should - Restrict
access to sensitive contracting information on the Procurement web site to only
those with a need to know. We recognize that certain sensitive data is pertinent
for the solicitation of contractors and needs to be accessible on the web site.
Portions of the web site containing sensitive information should be separated
from the general information web pages. In addition, user accounts and
passwords should be required to access sensitive areas.

CORRECTIVE ACTION TO RECOMMENDATION #4: On October 1, 2003, the
Director, Procurement implemented the Federal Technical Data Solution
(FedTeDS) to post sensitive technical information during the solicitation phase of
the acquisition cycle. This web-based application utilizes user accounts and
passwords for access to this information.


IMPLEMENTATION DATE:
Completed - October 1, 2003


RESPONSIBLE OFFICIAL:
Director, Procurement OS:A:P


CORRECTIVE ACTION MONITORING PLAN: Completed.